System Administration
suid on directory does not change ownership to that of owner of directory ??

 
SOLVED
Sammy_2
Super Advisor


HPUX 11.11

# ls -ld /app/test
drwsrwsr-x 2 subir01 eteam 1024 Oct 20 11:58 /app/test

If user "clyde18" touches a file in the above dir, I was expecting the owner to be subir01 (according to the SUID bit set on the directory). Why is the OS setting the owner to that of the userid who touched the file?
$ id
uid=12216(clyde18) gid=206(eteam)
$ touch /app/test/myperms

$ ls -ld /app/test/myperms
-rw-rw---- 1 clyde18 eteam 0 Oct 20 12:11 /app/test/myperms


Thanks for help in advance.




good judgement comes from experience and experience comes from bad judgement.
jerry1
Super Advisor
Solution

Re: suid on directory does not change ownership to that of owner of directory ??

Because that is the behavior now.
Setting u+s does not make files created in that directory owned by the owner of the directory. Only the group, if g+s is set.

The man pages are not kept up to date nowadays.
James R. Ferguson
Acclaimed Contributor

Re: suid on directory does not change ownership to that of owner of directory ??

Hi Sammy:

The directory's *group* owner is what will be conferred to the newly created file when the directory has its 'setgid' bit set.

Regards!

...JRF...
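The two replies above describe the rule that the original post ran into: a directory's setgid bit makes new files inherit the directory's *group*, while a setuid bit on a directory changes nothing about ownership. The script below is an added example, not code from the thread or from HP-UX; it predicts the (uid, gid) a new file will get from a directory's mode, repeats the poster's touch-and-ls experiment on a constructed temp tree (directory names "both", "gs_only" and "plain" are made up for the demo), and audits a tree for directories carrying a setuid bit that does nothing. It assumes the default SysV/BSD setgid-directory semantics the replies describe, which also hold on Linux and the BSDs.

```python
"""Added example (not from the thread): predict and verify which owner ids a
new file inherits from its directory, and audit a tree for directories whose
setuid bit is set (it has no ownership effect on HP-UX, Linux or BSD) and for
setgid directories (which confer their *group* on new files).

Assumptions: default SysV/BSD setgid-directory semantics as described in the
replies; run on a POSIX system where the current user may chmod its own
temporary directories.  Directory names below are constructed for the demo.
"""
import os
import stat
import tempfile


def predicted_ids(dir_path, creator_uid, creator_gid):
    """Return the (uid, gid) a file created in dir_path by creator_uid/creator_gid
    will get.  The uid is always the creator's.  The gid is the directory's
    group only when the directory carries S_ISGID; S_ISUID on a directory is
    ignored for ownership purposes.  (Caveat: a Linux filesystem mounted with
    'grpid'/'bsdgroups' inherits the group even without S_ISGID; this example
    assumes the default behaviour.)"""
    st = os.stat(dir_path)
    gid = st.st_gid if st.st_mode & stat.S_ISGID else creator_gid
    return creator_uid, gid


def actual_ids(dir_path, name="probe"):
    """Create an empty file in dir_path (what `touch` does) and return its
    real (uid, gid) as assigned by the kernel."""
    path = os.path.join(dir_path, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o660)
    os.close(fd)
    st = os.stat(path)
    return st.st_uid, st.st_gid


def audit_dirs(root):
    """Walk root and return {directory: [flags]} for every directory that has
    S_ISUID ('setuid-no-effect', a bit that does nothing for ownership and is
    usually a misconfiguration) and/or S_ISGID ('setgid-group-inherit')."""
    findings = {}
    for dirpath, _, _ in os.walk(root):
        mode = os.stat(dirpath).st_mode
        flags = []
        if mode & stat.S_ISUID:
            flags.append("setuid-no-effect")
        if mode & stat.S_ISGID:
            flags.append("setgid-group-inherit")
        if flags:
            findings[dirpath] = flags
    return findings


def build_demo_tree():
    """Constructed sample tree (assumed names): a directory with both u+s and
    g+s set, as in the thread's `drwsrwsr-x` listing (mode 6775), a g+s-only
    directory (2775) and a plain directory (775)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("both", 0o6775), ("gs_only", 0o2775), ("plain", 0o775)):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, mode)
    return root


def demo():
    """Repeat the poster's experiment on the demo tree: create a file in each
    directory and check that the kernel assigned the ids predicted_ids() said
    it would.  Returns True when every directory behaves as predicted."""
    root = build_demo_tree()
    uid, gid = os.geteuid(), os.getegid()
    ok = True
    for name in ("both", "gs_only", "plain"):
        d = os.path.join(root, name)
        ok = ok and predicted_ids(d, uid, gid) == actual_ids(d)
    return ok


def audit_demo_tree():
    """Audit the constructed tree; results are keyed by directory basename."""
    root = build_demo_tree()
    return {os.path.basename(p): f for p, f in audit_dirs(root).items() if p != root}


if __name__ == "__main__":
    print("prediction matched kernel behaviour:", demo())
    for d, flags in audit_demo_tree().items():
        print(d, flags)
```

Run as an unprivileged user the audit flags only "both" and "gs_only", and the file created in each directory always belongs to the creating user, which is exactly the behaviour the original post observed. Pointing audit_dirs() at a real application tree is a quick way to find directories where someone set u+s expecting the owner-inheritance that no UNIX provides.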
Sammy_2
Super Advisor

Re: suid on directory does not change ownership to that of owner of directory ??

Thanks Jerry and JRF.
Then do you know of a way so I can redirect a user's history file to a directory so he cannot delete or edit it? Right now, the .sh_history file is owned by the user by default and so he can modify it.


.profile of user "dp" below
======
# braces are required: $LOGNAME_PID_ would be read as one (unset) variable name
HISTFILE="$ARCHIVE_DIR/.sh_history_${LOGNAME}_PID_$$" ; export HISTFILE



output in $ARCHIVE_DIR

Right now, the dp user can edit this file and delete the commands he entered.

-rw------- 1 dp escript 174 Oct 20 14:33 .sh_history_DP_PID_8243


Thanks
Patrick Wallek
Honored Contributor

Re: suid on directory does not change ownership to that of owner of directory ??

If the user can't edit the history file, how is he/she supposed to use the history functionality?
James R. Ferguson
Acclaimed Contributor

Re: suid on directory does not change ownership to that of owner of directory ??

Hi (again) Sammy:

> Then do you know of a way so I can redirect user's history file to a directory so he can not delete or edit it. Right now, the .sh_history file is owned by the user by default and so he can modify it.

You're asking for your cake and to eat it too.

The shell needs to have write access to the directory in which you tell it to create a history file. Directory write access implies the ability to delete a file. File writability means that all or some of the data within can be munged.

Regards!

...JRF...
Sammy_2
Super Advisor

Re: suid on directory does not change ownership to that of owner of directory ??

Thanks to all who replied.

The goal was to monitor user activities (once they sudo to application acct) so if they rm a file, we (sys admins and mgrs) can look in the history log who did what. Mgmt wanted to prevent users from cleaning their own .sh_history file after some nefarious activity.

But seems like we can't do it so may have to suggest powerbroker tool (which costs money).

Thanks
Dennis Handly
Acclaimed Contributor

Re: suid on directory does not change ownership to that of owner of directory ??

>JRF: The shell needs to have write-access to the directory in which you tell it to create a history file.

No it doesn't if you manually create an empty file there. But this doesn't really help.

>File write-ability means that all or some the data within can be munged.

Unfortunately this is what will allow the data to be munged.
What Sammy needs is a file with append-only access, a pipe. Unfortunately that won't work as a history file.